Process Activity via Compiled HTML File

Elastic Detection Rules

Summary
This detection rule identifies suspicious use of compiled HTML help files (.chm) on Windows. A .chm is rendered by the HTML Help executable (hh.exe), and adversaries can embed scripts or links in the file that, when the user opens it, cause hh.exe to launch a script host or command interpreter; this makes .chm attachments a convenient social-engineering vector. The rule alerts on process start events in which hh.exe is the parent of a common scripting or command-line executable (e.g., mshta.exe, cmd.exe, PowerShell). False positives are possible because hh.exe is the standard viewer for Windows help files, but legitimate help content rarely needs to spawn an interpreter, so alerts should be triaged by checking which .chm hh.exe opened (its command line) and what arguments the child process received. The full rule outlines investigation steps and response actions that focus on isolating the affected host and improving the response to similar incidents.
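To make the parent/child condition concrete, the following is an added, illustrative Python model of the logic the summary describes; it is not the rule's own EQL/KQL query and not Elastic code. The flat ECS-style field names (process.name, process.parent.name, process.parent.executable, event.type, host.os.type) are an assumption about the telemetry shape, pwsh.exe is added here as an assumed PowerShell 7 binary name beyond the executables the summary lists, and the sample events are constructed, not captured logs.

```python
"""Illustrative model of the "hh.exe spawns a script host" condition (added example)."""
import ntpath

# Child process names the rule summary mentions (mshta.exe, cmd.exe, PowerShell).
# pwsh.exe is an assumption added for PowerShell 7; it is not taken from the page.
SCRIPT_HOSTS = {"mshta.exe", "cmd.exe", "powershell.exe", "pwsh.exe"}
HELP_VIEWER = "hh.exe"


def _basename(name):
    """Normalize a process name or full Windows path to a lowercase file name,
    so "HH.EXE" and "C:\\Windows\\hh.exe" both compare equal to "hh.exe"."""
    if not name:
        return ""
    return ntpath.basename(name).lower()


def matches_chm_spawn(event):
    """Return True when a Windows process-start event shows hh.exe as the parent
    of a script host or command interpreter (the condition the summary describes)."""
    if event.get("host.os.type") != "windows" or event.get("event.type") != "start":
        return False
    parent = _basename(event.get("process.parent.name")
                       or event.get("process.parent.executable"))
    child = _basename(event.get("process.name") or event.get("process.executable"))
    return parent == HELP_VIEWER and child in SCRIPT_HOSTS


def find_alerts(events):
    """Return the events that would raise this detection, in input order."""
    return [e for e in events if matches_chm_spawn(e)]


# Constructed sample telemetry (assumed ECS-style field names; not real logs).
SAMPLE_EVENTS = [
    {  # a user opens a help file: hh.exe is the child here, so no alert
        "host.os.type": "windows", "event.type": "start",
        "process.parent.name": "explorer.exe", "process.name": "hh.exe",
        "process.command_line": '"C:\\Windows\\hh.exe" C:\\Help\\product.chm',
    },
    {  # a malicious .chm makes hh.exe spawn mshta.exe (mixed case parent name)
        "host.os.type": "windows", "event.type": "start",
        "process.parent.name": "HH.EXE", "process.name": "mshta.exe",
        "process.command_line": "mshta.exe C:\\Users\\alice\\AppData\\Local\\Temp\\page.hta",
    },
    {  # only full paths are present: hh.exe spawns PowerShell with a hidden window
        "host.os.type": "windows", "event.type": "start",
        "process.parent.executable": "C:\\Windows\\hh.exe",
        "process.executable": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "process.command_line": "powershell.exe -NoProfile -WindowStyle Hidden -File stage.ps1",
    },
    {  # PowerShell launched from Explorer: no hh.exe parent, so no alert
        "host.os.type": "windows", "event.type": "start",
        "process.parent.name": "explorer.exe", "process.name": "powershell.exe",
        "process.command_line": "powershell.exe -NoProfile",
    },
    {  # same parent/child pair, but a process end event: the rule only watches starts
        "host.os.type": "windows", "event.type": "end",
        "process.parent.name": "hh.exe", "process.name": "cmd.exe",
        "process.command_line": "cmd.exe /c whoami",
    },
]

if __name__ == "__main__":
    for hit in find_alerts(SAMPLE_EVENTS):
        print("ALERT:", hit["process.command_line"])
```

Only the second and third sample events match: the parent name is normalized before comparison so case and full-path variants do not evade the check, and events that are not process starts are ignored. For triage, the parent's own command line (which .chm hh.exe opened) is the field to pull next, since a help file that launches an interpreter is the signal the rule exists to catch.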
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Windows Registry
  • Application Log
  • Network Traffic
  • Logon Session
  • User Account
ATT&CK Techniques
  • T1204
  • T1204.002
  • T1218
  • T1218.001
Created: 2020-02-18